We have the following:
a) Wireless Network WIFI-A with WPA2 Personal, a preshared key, client traffic in separate zone, AES, no client isolation, SSID visible, U-APSD enabled, Fast transition disabled, no MAC filter
b) Wireless Network WIFI-B with WPA2 Enterprise (with authentication from a Linux FreeRadius server), client traffic in separate zone, AES, client isolation enabled, SSID visible, U-APSD enabled, Fast transition disabled, no MAC filter
As further relevant configuration there is:
Interface INT-A of type Ethernet, hardware wlan4, IP 172.16.10.1/24 (=NET-A), MTU 1500, metric 20
Interface INT-B of type Ethernet, hardware wlan4, IP 172.16.11.1/24 (=NET-A), MTU 1500, metric 20
Network services: Allow DNS from NET-A and from NET-B
Network services: DHCP with range, DNS server, and default gateway suitable for NET-A and similarly for NET-B
Network protection: Allow Any from NET-A or NET-B to Internet IPv4/IPv6
When we connect an iPhone to WIFI-A, it can surf the internet fine. However, anything requiring the Apple ID, in particular an initial configuration of a new iPhone, does *not* work.
When we connect the same iPhone to WIFI-B, the problem does not occur.
As far as I can tell, the only differences are about client isolation - which should not make a difference for communication from the iPhone to Apple; and WPA2 Personal instead of WPA2 Enterprise - which I cannot imagine making a difference.
What is wrong here?
Can we see pictures of the Edits of the DHCP servers?
Does doing #1 in Rulz (last updated 2019-04-17) provide any additional information?
Cheers - Bob
In reply to BAlfson:
By popular demand:
In reply to hagman_01:
As usual, all of your stuff is perfect. I'm guessing that there's either a bug that only comes into play when client isolation is enabled or that the iPhone doesn't "like" the way the UTM achieves client isolation. Does Sophos Support think this is a bug?
A few minutes later... Wait a minute. Does the Web Filtering log show that the same Profile & Filter were selected for access via both WLANs? What is different there with the Apple access attempts?